Understanding Business Email Compromise (BEC): How to Spot It and What to Do
Business Email Compromise (BEC) is one of the most dangerous threats to businesses today. At 4BIS, we’re seeing a massive increase in these attacks in the Cincinnati area. With cybercriminals becoming increasingly sophisticated, BEC can wreak havoc on a business, leading to devastating financial losses. We find many email users do not know how to spot the signs of a BEC. In this post, we’ll break down what BEC is, how to identify it, and what to do if you suspect your email account has been compromised.
What is Business Email Compromise?
BEC is an information-seeking scam that targets businesses through email. Unlike typical phishing attacks, BEC relies on a higher level of trust. Cybercriminals often pose as someone within a company or a trusted external contact, tricking the recipient into sharing sensitive information or transferring funds.
A common tactic is for the attacker to gain access to an email account of someone you’ve communicated with before. This creates a false sense of security, making it easier for the hacker to convince you to take action, like clicking on a fraudulent attachment or sending money. Once compromised, these email accounts are used to carry out more complex scams, targeting not just individuals but entire businesses.
A related threat is an Email Account Compromise (EAC), where your own account is taken over. If the compromised account belongs to an administrator, the consequences can be far-reaching, as they often have access to critical systems and sensitive information.
Please see our article on BEC to learn more: https://www.4bis.com/how-to-defend-against-the-growing-threat-of-business-email-compromise/
Signs Your Email May Have Been Compromised
Early detection is key to mitigating the damage caused by BEC. Below are some signs that your email may have been compromised:
- Emails Sent Without Your Knowledge: Hackers may send fraudulent emails from your account, then move or delete them to cover their tracks. If you find strange emails in your “deleted” or “recover deleted items” folders, this could be a sign of compromise.
- Missing Emails: If you’re expecting a reply that never comes or notice emails disappearing, your account may be compromised.
- Unusual Inbox Rules: One of the tactics used by cybercriminals is creating inbox rules to divert responses or hide certain communications. For example, rules may be set to move emails to obscure folders, mark them as read, or forward them without your knowledge. Regularly check your inbox rules in platforms like Microsoft Outlook.
- Unexpected Attachments: Attachments that don’t behave as expected might be compromised. They could be used to steal session tokens (your authenticated Office 365 session) or install malicious software. If this happens, contact your IT team.
- Password Prompts: If you’re prompted to enter a password when you weren’t expecting it, stop immediately and alert your IT team.
- Suspicious Contact: If someone calls or emails you asking about messages they received from you that you didn’t send, this might be a sign of compromise. Make sure to tell the person that you did not send the email. We do not want them to open the links or attachments and spread the attack. Ask for screenshots to investigate further and alert your IT team.
- New Device Access Alerts: Alerts notifying you that a new device has accessed your email account, especially if you don’t recognize the device, are red flags.
- Strange OneDrive or SharePoint Activity: For example, a prospect of ours noticed an old employee’s name moving within an Excel document on SharePoint. Upon investigation, they realized a hacker had used the account to access sensitive data. This was a document that contained passwords.
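The inbox-rule check from the list above can be automated. This is an added example, not 4BIS code: it scans rule records for forwarding to outside addresses, moves to rarely viewed folders (with mark-as-read), and deletion. The sample rules are constructed, the field names assume a JSON export of Exchange Online's Get-InboxRule output, and ORG_DOMAINS and QUIET_FOLDERS are hypothetical values to tune for your organization.

```python
import re

ORG_DOMAINS = {"example.com"}  # assumption: mail domains your company owns
QUIET_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                 "junk email", "deleted items", "archive"}  # assumption: tune
ADDR = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

RULES = [  # constructed sample data
    {"Name": "Newsletters", "MoveToFolder": "Newsletters"},
    {"Name": "To assistant", "ForwardTo": ['"Assistant" [SMTP:assistant@example.com]']},
    {"Name": ".", "MoveToFolder": "RSS Feeds", "MarkAsRead": True},
    {"Name": "sync", "RedirectTo": ['"Backup" [SMTP:backup@mailbox.example.net]']},
]

def external_recipients(rule):
    """Return forward/redirect targets whose domain is not one of ours."""
    found = []
    for field in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for entry in rule.get(field) or []:
            for match in ADDR.finditer(entry):
                if match.group(1).lower() not in ORG_DOMAINS:
                    found.append(match.group(0).lower())
    return found

def audit_rule(rule):
    """Return a list of human-readable findings for one inbox rule."""
    findings = []
    external = external_recipients(rule)
    if external:
        findings.append("forwards to external address: " + ", ".join(external))
    folder = (rule.get("MoveToFolder") or "").lower()
    if folder in QUIET_FOLDERS:
        detail = " and marks as read" if rule.get("MarkAsRead") else ""
        findings.append(f"moves mail to '{folder}'{detail}")
    if rule.get("DeleteMessage"):
        findings.append("deletes matching mail")
    return findings

def audit(rules):
    """Map rule name -> findings, for rules with at least one finding."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[rule["Name"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(RULES).items():
        print(f"[!] rule {name!r}: " + "; ".join(findings))
```

Disabled rules are reported too, since a rule the attacker has switched off is still evidence of what they did.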
What to Do if Your Email is Compromised
If you suspect your email has been compromised, taking immediate action is critical. Here’s a step-by-step guide:
- Notify Your IT Team: Contact your IT team as soon as possible. They should have playbooks and processes in place to address this kind of threat. If your IT team lacks experience with BEC, consider reaching out to a cybersecurity specialist like 4BIS.
- Sign Out of All Sessions and Change Your Password: One of the first steps is to sign out of all sessions across devices and reset your password. Additionally, reconfigure your multifactor authentication (MFA) to lock out the attacker.
- Audit for Damage: Review audit logs for unusual activity. Check for logins from unfamiliar locations or devices, and review inbox rules, deleted items, and sent messages to see what the hacker has done. Run a message report to identify which emails were sent during the compromise period and which might be fraudulent.
- Understand What’s in Your Email: Sensitive information like passwords, banking details, or client data might be stored in your email. You’ll need to assess what information was compromised and take steps to mitigate further risk.
- Notify Legal and Cyber Insurance: Even if your cyber insurance doesn’t take immediate action, it’s essential to inform them about the security incident. Legal consultation might also be necessary, depending on the scope of the compromise.
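The "Audit for Damage" step above can be worked through in code. This is an added example, not 4BIS code: it takes the first sign-in from an unfamiliar country or device as the start of the compromise period, the containment time as its end, and sorts the messages sent in that period. All records, field names, KNOWN and CONTAINED_AT are constructed for illustration and do not match any particular log export.

```python
from datetime import datetime

T = datetime.fromisoformat
KNOWN = {("US", "LAPTOP-ACCT01"), ("US", "iPhone")}  # assumption: usual country/device pairs
CONTAINED_AT = T("2024-05-03T16:00:00")  # constructed: sessions revoked, password reset

SIGNINS = [  # constructed sample sign-in records
    {"time": T("2024-05-01T08:55:00"), "ip": "198.51.100.10", "country": "US", "device": "LAPTOP-ACCT01"},
    {"time": T("2024-05-02T03:14:00"), "ip": "203.0.113.77", "country": "NL", "device": "unknown"},
    {"time": T("2024-05-02T09:02:00"), "ip": "198.51.100.10", "country": "US", "device": "LAPTOP-ACCT01"},
]
SENT = [  # constructed sample message report rows
    {"time": T("2024-05-01T10:00:00"), "ip": "198.51.100.10", "subject": "Q2 forecast"},
    {"time": T("2024-05-02T03:20:00"), "ip": "203.0.113.77", "subject": "Updated bank details"},
    {"time": T("2024-05-02T09:30:00"), "ip": "198.51.100.10", "subject": "Lunch Friday?"},
    {"time": T("2024-05-04T09:00:00"), "ip": "198.51.100.10", "subject": "Status update"},
]

def unfamiliar_signins(signins, known):
    """Sign-ins whose (country, device) pair is not in the user's baseline."""
    return [s for s in signins if (s["country"], s["device"]) not in known]

def compromise_window(signins, known, contained_at):
    """(start, end) of the compromise period, or None if nothing looks odd."""
    odd = unfamiliar_signins(signins, known)
    if not odd:
        return None
    return min(s["time"] for s in odd), contained_at

def review_sent(sent, signins, known, contained_at):
    """Classify every message sent inside the compromise period."""
    window = compromise_window(signins, known, contained_at)
    if window is None:
        return []
    start, end = window
    bad_ips = {s["ip"] for s in unfamiliar_signins(signins, known)}
    results = []
    for msg in sent:
        if start <= msg["time"] <= end:
            # Sent from the unfamiliar sign-in's address: treat as the attacker's.
            verdict = "likely fraudulent" if msg["ip"] in bad_ips else "confirm with user"
            results.append((msg["subject"], verdict))
    return results

if __name__ == "__main__":
    for subject, verdict in review_sent(SENT, SIGNINS, KNOWN, CONTAINED_AT):
        print(f"{verdict:18} {subject}")
```

Messages sent from a familiar address during the period are not cleared automatically; they go back to the user to confirm.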
How to Prevent Future BEC Incidents
Prevention is always better than a cure, especially in cybersecurity. Here are some best practices to reduce the risk of BEC:
- Use Multifactor Authentication (MFA): MFA adds an extra layer of security, making it harder for attackers to gain access even if they have your password.
- Regularly Audit Inbox Rules: Periodically check your email’s rules and settings to ensure no unauthorized changes have been made.
- Employee Training: Make sure employees understand the risks of BEC and how to recognize phishing attempts, suspicious activity, and requests that seem out of the ordinary.
- Monitor for Unusual Logins: Set up alerts for logins from unexpected locations or devices.
- Secure Sensitive Information: Avoid storing sensitive information like passwords or bank details in your email. Use secure, encrypted methods for handling sensitive data.
Conclusion
Business Email Compromise is a serious threat that can result in financial losses and data breaches. By understanding the warning signs and knowing how to respond, you can help protect yourself from falling victim to these sophisticated scams. Stay vigilant, and ensure your team is well-versed in best practices to keep your email, and your business, secure.
Reach out to the 4BIS team if you have any questions about email security. We are fanatical about protecting Cincinnati area businesses and we want to help.